On 02/14/2013 09:05 AM, Simo Sorce wrote:
So as I proposed we can call ipa user-add from LDAP from a
non-transactional pre-op plugin. We just need to be careful about when
we allow that to avoid loops, but besides that problem it seems
relatively easy and does not require crazy things like playgrounds or
even full LDAP proxies.


I think I need a clarification because perhaps I didn't fully understand your proposal.

Is the idea that, with a non-transactional pre-op plugin, it invokes user-add and then the pre-op returns *without* having modified LDAP? In effect it acts as a trigger?

That still implies there has to be a separate tree where the foreign entity writes (and the pre-op plugin watches) because otherwise how could the pre-op plugin distinguish between framework writes and foreign writes?

If there is a separate tree where is the looping issue? You still haven't explained this.

Also, under the scenario that a foreign entity writes something into LDAP (somewhere) and it triggers us to call user-add via some mechanism then what happens when errors occur? The foreign entity will not know we rejected the operation nor why.

Also, don't forget they want to delete users, remove group membership, add group membership, add groups, remove groups etc. Some of these operations are dependent upon logic in our framework. I don't see how some of these operations can be reliably managed by a foreign entity simultaneously performing LDAP operations.


--
John Dennis <jden...@redhat.com>

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel